**diff options**

-rw-r--r-- | design-documents/024-age-restriction.rst | 104 |

1 files changed, 96 insertions, 8 deletions

diff --git a/design-documents/024-age-restriction.rst b/design-documents/024-age-restriction.rst index efa140c2..48a258d1 100644 --- a/design-documents/024-age-restriction.rst +++ b/design-documents/024-age-restriction.rst @@ -103,8 +103,8 @@ TODO: Summarize the design based on the five functions ``Commit()``, Özgür and Christian is published. -Changes in the Exchange -^^^^^^^^^^^^^^^^^^^^^^^ +Changes in the Exchange API +^^^^^^^^^^^^^^^^^^^^^^^^^^^ The necessary changes in the exchange involve @@ -292,7 +292,7 @@ Refresh - reveal phase During the reveal phase -- that is upon POST to ``/refreshes/$RCH/reveal`` -- the client has to provide the original age commitment of the old coin (i.e. the vector of public keys), iff the corresponding denomination had support for age -restriction. The size of the vector ist defined by the Exchange implictely as +restriction. The size of the vector ist defined by the Exchange implicetly as the amount of age groups defined in the field ``.age_groups`` of the ``ExtensionAgeRestriction``. @@ -304,7 +304,7 @@ the amount of age groups defined in the field ``.age_groups`` of the // Iff the corresponding denomination has support for age restriction, // the client MUST provide the original age commitment, i.e. the vector // of public keys. - // The size of the vector ist defined by the Exchange implictely as the + // The size of the vector ist defined by the Exchange implicetly as the // amount of age groups defined in the field ``.age_groups`` of the // ``ExtensionAgeRestriction``. old_age_commitment?: EddsaPublicKey[]; @@ -342,7 +342,8 @@ purchase. ... } -Again, the exchange can now check the validity of the coin by evaluating +Again, the exchange can now check the validity of the coin with age restriction +by evaluating .. math:: \text{FDH}_N(C_p, h_a)\; \stackrel{?}{=}\; \left(\sigma_C\right)^{e} \;\;\text{mod}N @@ -357,10 +358,97 @@ TODO: maybe rename this field into something more opaque, like -Changes in the Merchant -^^^^^^^^^^^^^^^^^^^^^^^ +Changes in the Merchant API +^^^^^^^^^^^^^^^^^^^^^^^^^^^ -TODO: Spending protocol + +Claiming the order +------------------ + +If an order requires a minimum age, the merchant MUST express that required +minimum age in response to order claim by the wallet, that is, a POST to +``[/instances/$INSTANCE]/orders/$ORDER_ID/claim``. + +The object ``ContractTerms`` is extended by an optional field +``required_minimum_age`` that can be any integer greater than 0. In reality +this value will not be smaller than, say, 8, and not larger than, say, 21. + +.. ts:def:: ContractTerms + + interface ContractTerms { + ... + + // If the order requires a minimum age greater than 0, this field is set + // to the integer value of that age. In reality this value will not be + // smaller than, say, 8, and not larger than, say, 21. + required_minimum_age?: Integer; + + ... + } + +By sending the contract term with the field ``required_minimum_age`` set to an +non-zero integer value, the merchant implicetly signals that it understands the +extension ``age_restriction.v1`` for age restriction from the exchange. + + +Making the payment +------------------ + +If the ``ContractTerms`` had a non-zero value in field +``required_minimum_age``, the wallet has to provide evidence of that minimum +age + +#. by using coins which are of denominations that have age support enabled + +#. *and* ―for each coin― it has the right private key of the restricted age + commitment to the age group into which the required minimum age falls (i.e. + a non-empty entry at the right index in vector of EdDSA keys, see above). + +#. and signs the required minimum age with each coin's private key + corresponding to the age group, + +#. and sends ―for each coin― the complete age commitment and the signature to + the merchant. + + +For doing so, the object ``CoinPaySig`` used within a ``PayRequest`` during a +POST to ``[/instances/$INSTANCE]/orders/$ORDER_ID/pay`` is extended as follows: + +.. ts:def:: CoinPaySig + + export interface CoinPaySig { + ... + + // If a minimum age was required by the order and the wallet had coins that + // are at least commited to the corresponding age group, this is the + // signature of the minimum age as a string, using the private key to the + // corresponding age group. + minimum_age_sig?: EddsaSignature; + + // If a minium age was required by the order, this is age commitment bound + // to the coin, i.e. the complete vector of EdDSA public keys, one for each + // age group (as defined by the exchange). + age_commitment?: EddsaPublicKey[]; + + } + + +The merchant can now verify + +#. the validity of each (age restricted) coin by evaluating + + .. math:: \text{FDH}_N(C_p, h_a)\; \stackrel{?}{=}\; \left(\sigma_C\right)^{e} \;\;\text{mod}N + + Again, :math:`C_p` is the EdDSA public key of a coin, :math:`\sigma_C` is its + signature, :math:`\langle e, N \rangle` is the RSA public key of the + denomination and :math:`h_a` is the SHA512 hash value of the vector in + ``age_commitment``. + +#. the minimum age requirement by checking the signature in ``minimum_age_sig`` + against the public key ``age_commitment[k]`` of the corresponding age group, + say, ``k``. (The minimum age must fall into the age group at index ``k`` as + defined by the exchange) + Changes in the Wallet |